diff --git a/docs/source/reference/auth.rst b/docs/source/reference/auth.rst
index 4fca6cc75..2f43cc4e2 100644
--- a/docs/source/reference/auth.rst
+++ b/docs/source/reference/auth.rst
@@ -7,8 +7,23 @@ wis2box provides built in access control for the WAF and API on a topic hierarch
 using the wis2box command line utility. Authentication tokens are only required for topics that have access control configured.
-Adding Access Control
----------------------
+In addition, wis2box restricts access to the execution of wis2box processes and PUT/POST/DELETE requests to the stations collection.
+
+Access control on paths
+-----------------------
+
+To add a token to the execution of a wis2box process, use the following command:
+
+.. code-block:: bash
+
+ wis2box auth add-token --path processes/wis2box myexecutiontoken
+
+To add a token to PUT/POST/DELETE requests to the stations collection, use the following command:
+
+ wis2box auth add-token --path collections/stations mystationupdatetoken
+
+Adding Access Control on topics
+-------------------------------
 All topic hierarchies in wis2box are open by default. A topic becomes closed, with access control applied, the first time a token is generated for a topic hierarchy.
@@ -33,8 +48,8 @@ Token credentials can be validated using the wis2box command line utility.
 .. code-block:: bash
 wis2box auth show
- wis2box auth has-access --topic-hierarchy mwi.mwi_met_centre.data.core.weather.surface-based-observations.synop mytoken
- wis2box auth has-access --topic-hierarchy mwi.mwi_met_centre.data.core.weather.surface-based-observations.synop notmytoken
+ wis2box auth has-access-topic --topic-hierarchy mwi.mwi_met_centre.data.core.weather.surface-based-observations.synop mytoken
+ wis2box auth has-access-topic --topic-hierarchy mwi.mwi_met_centre.data.core.weather.surface-based-observations.synop notmytoken
 Once a token has been generated, access to any data of that topic in the WAF or API requires token authentication.
diff --git a/wis2box-management/docker/entrypoint.sh b/wis2box-management/docker/entrypoint.sh
index cb5382f46..18b0bd203 100755
--- a/wis2box-management/docker/entrypoint.sh
+++ b/wis2box-management/docker/entrypoint.sh
@@ -40,10 +40,32 @@ curl https://wmo-im.github.io/wis2-topic-hierarchy/all.json.zip --output /tmp/al
 cd ~/.pywcmp/wis2-topic-hierarchy && unzip -j /tmp/all.json.zip
 # wis2box commands
+# TODO: avoid re-creating environment if it already exists
+# TODO: catch errors and avoid bounce in conjuction with restart: always
 wis2box environment create
-wis2box environment show
+wis2box environment show | grep -v "password" | grep -v "PASSWORD" # avoid printing passwords in logs
 wis2box api setup
 wis2box metadata discovery setup
 wis2box metadata station publish-collection
+ # Check if the path is restricted and capture the output
+is_restricted=$(wis2box auth is-restricted-path --path processes/wis2box)
+if [ "$is_restricted" = "True" ]; then
+ echo "processes/wis2box execution is restricted"
+else
+ echo "restricting processes/wis2box"
+ # Add the token
+ wis2box auth add-token --path processes/wis2box -y
+fi
+# repeat for collections/stations
+is_restricted=$(wis2box auth is-restricted-path --path collections/stations)
+if [ "$is_restricted" = "True" ]; then
+ echo "collections/stations execution is restricted"
+else
+ echo "restricting collections/stations"
+ # Add the token
+ wis2box auth add-token --path collections/stations -y
+fi
+
 echo "END /entrypoint.sh"
 exec "$@"
diff --git a/wis2box-management/wis2box/auth.py b/wis2box-management/wis2box/auth.py
index 0b8336788..f8e5c0a8c 100644
--- a/wis2box-management/wis2box/auth.py
+++ b/wis2box-management/wis2box/auth.py
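Review bot: The password filter on the new `wis2box environment show | grep -v "password" | grep -v "PASSWORD"` line is case-sensitive and only matches those two spellings, so any mixed-case spelling still ends up in the container log; a single `grep -iv password` covers every casing, and any secret whose variable name does not contain that word (if the environment holds any) still prints regardless. Separately, `is_restricted=$(wis2box auth is-restricted-path --path processes/wis2box)` is compared only against the literal `True`: if the command fails or emits anything else on stdout, the else branch runs `wis2box auth add-token --path processes/wis2box -y` on every container start, and the collections/stations block below it behaves the same way. Checking the command's exit status before the comparison (for example `|| exit 1`, or `set -e` near the top of the script, which lies outside this hunk) would make a broken restriction step fail loudly instead of silently re-running. The message `collections/stations execution is restricted` also says "execution" for a collection, which reads as a copy-paste from the processes block.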
@@ -112,21 +112,34 @@ def auth():
 @click.command()
 @click.pass_context
 @cli_helpers.OPTION_TOPIC_HIERARCHY
-def is_restricted(ctx, topic_hierarchy):
+def is_restricted_topic(ctx, topic_hierarchy):
 """Check if topic has access control"""
 th, _ = validate_and_load(topic_hierarchy)
 click.echo(not is_resource_open(th.dotpath))
+@click.command()
+@click.pass_context
+@click.option('--path', '-p')
+def is_restricted_path(ctx, path): """Check if path has access control""" click.echo(not is_resource_open(path))
 @click.command()
 @click.pass_context
 @cli_helpers.OPTION_TOPIC_HIERARCHY
 @click.argument('token')
-def has_access(ctx, topic_hierarchy, token):
+def has_access_topic(ctx, topic_hierarchy, token):
 """Check if a token has access to a topic"""
 th, _ = validate_and_load(topic_hierarchy)
 click.echo(is_token_authorized(th.dotpath, token))
+@click.command()
+@click.pass_context
+@click.option('--path', '-p')
+@click.argument('token')
+def has_access_path(ctx, path, token): """Check if a token has access to a path""" click.echo(is_token_authorized(path, token))
 @click.command()
 @click.pass_context
@@ -177,5 +190,7 @@ def remove_token(ctx, topic_hierarchy, path, token):
 auth.add_command(add_token)
 auth.add_command(remove_token)
-auth.add_command(has_access)
-auth.add_command(is_restricted)
+auth.add_command(has_access_topic)
+auth.add_command(has_access_path)
+auth.add_command(is_restricted_topic)
+auth.add_command(is_restricted_path)
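Review bot: The `--path` option on the new `is_restricted_path` and `has_access_path` commands is neither required nor validated, so `wis2box auth is-restricted-path` run without `--path` passes `None` straight into `is_resource_open`, and `has-access-path` does the same for `is_token_authorized`, whereas the topic variants go through `validate_and_load` first. Declaring it as `@click.option('--path', '-p', required=True)` on both commands makes click reject the missing option before any lookup happens, and the entrypoint script that compares this command's stdout against the literal `True` then sees a non-zero exit instead of whatever the lookup prints for `None`. The docstrings could also state what a path looks like, e.g. `"""Check if a path (e.g. processes/wis2box) has access control"""`, since the only examples live in the rst docs. Judging by the hunk header's line counts, the added functions appear to be separated from their neighbours by a single blank line where the surrounding module uses two (PEP 8 E302/E305); worth confirming against the actual file.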